hono — Greenflagged

Web framework built on Web Standards

Supply chain provenance

Status for the latest visible version.

SLSA provenance attestation npm registry signatures gitHead linked

Maintainers

yusukebe

Keywords

honowebapphttpapplicationframeworkroutercloudflareworkersfastlycomputedenobunlambdanodejs

Accepted risks

Findings the reviewer chose to accept rather than block on.

Source	Rule	Reason	Accepted by	When
provenance	publisher-changed	AI (provenance): Transition from maintainer to GitHub Actions CI/CD publishing with SLSA attestation; expected for this project.	ai	2026/06/18
typosquat	typosquat.levenshtein:pino	AI (typosquat): Hono is a major web framework with 34.7M weekly downloads and 1591 days of history. The Levenshtein similarity to 'pino' is purely coincidental; no impersonation intent.	ai	2026/04/24
provenance	no-provenance	AI (provenance): Hono is a well-established package with strong ecosystem trust signals. Lack of Sigstore provenance is not a meaningful risk indicator here.	ai	2026/04/24

Versions (showing 13 of 13)

Version	Deps	Published
4.12.26	0 / 25	2026-06-18
4.12.25	0 / 27	2026-06-09
4.12.24	0 / 27	2026-06-08
4.12.23	0 / 28	2026-05-25
4.12.22	0 / 28	2026-05-22
4.12.21	0 / 28	2026-05-19
4.12.20	0 / 28	2026-05-19
4.12.19	0 / 28	2026-05-16
4.12.18	0 / 28	2026-05-06
4.12.17	0 / 28	2026-05-05
4.12.16	0 / 28	2026-04-30
4.12.15	0 / 28	2026-04-24
4.12.14	0 / 28	2026-04-15

v4.12.26

2 findings

HIGH Publisher changed: yusukebe → GitHub Actions (on 2026-06-18) provenance

This version was published by a different npm account than previous versions on 2026-06-18. This could indicate a legitimate maintainer transition or an account compromise.

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.